Transaction cards such as, for example, credit cards, debit cards, bank cards, charge cards, smart cards and the like, have become increasingly popular for purchasing goods and services and for conducting other transactions. A transaction card typically includes information related to the issuer's name and logo, an account number, an expiration date and the cardholder's name. The cards may also have other information printed on the card to represent the account or the card member such as, for example, a serial number, a group number, a promotion number, a card type number, a plastic issuance number and/or the like. For many transaction cards, the information printed on the card is also contained within a magnetic stripe, a bar code, a transponder and/or an integrated circuit (microchip) for automatic downloading/reading by a reader.
Many card transactions are commenced by inserting, or sliding a card through, a card reader which automatically downloads the card information, thereby allowing the information to be used during the authorization process without the need for manual input or review of the card information. However, because of the substantial increase in fraudulent use and theft of transaction cards, the use of the card information is often supplemented by various fraud prevention techniques, such as requiring a signature to verify the consumer's agreement to the transaction, only shipping to the address associated with the transaction card, or the entry of a PIN number to verify the consumer's authority to use the transaction card. Certain card issuers (e.g., banks) may also incorporate the consumer's picture onto the face of the transaction card to give the merchant an additional verification procedure.
While the use of a signature, PIN or picture is effective for fraud reduction when the cardholder presents a card to a merchant, these options are not as effective, and may not be available, for other transactions. Particularly, transactions which do not require face-to-face contact between a consumer and merchant, such as the use of a transaction card to purchase items through the Internet or over the telephone (e.g., mail order). Moreover, many transactions may be alternatively completed without using the physical transaction card. For example, a consumer or merchant may simply key in the transaction card number into a POS device keypad or an ATM keypad.
When conducting Internet, telephone or keypad transactions, a cardholder may only need to provide a card account number and expiration date to allow the merchant to charge a particular account and verify that the transaction card is valid. Other verification information, such as a PIN number, is usually not disclosed because the PIN is typically memorized by the cardholder and never disclosed to a merchant. Because merchants often only request limited information to conduct a transaction over the Internet or the telephone, an increased potential for fraud exists due to the increased availability of this general information. In other words, regardless of a consumer's possession of the physical transaction card, a consumer can still fraudulently obtain and provide this general information.
Particularly, cardholders often provide a transaction card number to telemarketers, merchants, bank tellers and Internet sites, thereby allowing a merchant or clerk to retain the transaction card number and associated information for later fraudulent use. Moreover, a person may overhear a transaction card number being disclosed over the telephone or, with the increase of mailbox thefts; a person may obtain a transaction card number from a billing statement or promotional literature. Furthermore, advanced computer operators are able to intercept transaction card numbers which are transmitted over modems and/or the Internet. Accordingly, when a merchant simply requests a transaction card number from a consumer, it is difficult for the merchant to ensure that the consumer placing the order has the transaction card in his or her possession and/or is the true card member, rather than using a stolen account number.
With the increased popularity in online shopping, the numbers of Card Not Present (CNP) transactions have increased rapidly in recent years. CNP transactions carry an additional risk of fraud, as the merchant has little assurance that the consumer using the charge card account number to facilitate a purchase transaction is in fact the authorized user of the charge card. In order to add assurance that the consumer is in possession of the charge card, many merchant web sites now require the consumer to enter a card security code or Card Identification Number (CID), often printed on the front and/or reverse side of the charge card.
However, as is the case with providing transaction card information to a merchant, the risk of an employee of the merchant obtaining the transaction card information and using it fraudulently remains, even with the use of a CID. Therefore, some card issuers have sought to overcome this problem by bypassing the merchant and providing a static password or CID directly to the card issuer to be paired with other transaction card information for authorization. However, such a process has required online merchants to make significant changes to their web sites, has extended the time for completing the purchasing process, and has required consumers to complete a sign-up process for such an additional service. For example, merchant web sites employing this type of security configuration often rely on a separate window or pop-up to collect the CID from the card holder. In this manner, the CID can be isolated from other transaction card information and transmitted directly to the card issuer, thereby eliminating the possibility of exposing the static password or CID to the merchant. However, many consumers abort a transaction when required to enter additional information into a pop-up window, or when required to sign-up for a new security service in order to complete a transaction. Moreover, such a system for bypassing a merchant may not be necessary if a dynamic CID is used because the CID changes with each transaction.
While the CID provides an additional layer of assurance that the card is in the possession of the purchaser, it does not remedy the problems associated with credit card fraud resulting from unauthorized recording of credit card information, including the CID, or theft of the physical credit card. Due to the security concerns discussed above, some merchants may remain reluctant to accept online orders through the use of a transaction card when the shipping address is different than the billing address. Instead of a PIN which is associated with an account and provides access to an account, online merchants generally require entry of a CID, which is printed on the transaction card but does not provide automatic access to an account. This sort of CID is static, and does not guarantee that the physical card is in the possession of the consumer.
Accordingly, a system is needed which allows the consumer to disclose a dynamically generated card identifier (dynamic CID) that is associated with the account number, yet changes with each purchase transaction. Moreover, there is a need for a system and method for creating a dynamic CID that may be entered into a standard CID field, which is a common security feature of many of today's online merchant order forms, without requiring the modification of existing online merchant order forms. Such additional security measures may enable issuers to accept more of the risk, and at the same time, reduce the security and extra data collection requirements imposed on merchants.